From: Leon Hwang <leon.hwang@linux.dev>
To: bpf@vger.kernel.org
Cc: Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
John Fastabend <john.fastabend@gmail.com>,
Andrii Nakryiko <andrii@kernel.org>,
Eduard Zingerman <eddyz87@gmail.com>,
Kumar Kartikeya Dwivedi <memxor@gmail.com>,
Martin KaFai Lau <martin.lau@linux.dev>,
Song Liu <song@kernel.org>,
Yonghong Song <yonghong.song@linux.dev>,
Jiri Olsa <jolsa@kernel.org>,
Emil Tsalapatis <emil@etsalapatis.com>,
Andrew Morton <akpm@linux-foundation.org>,
Shuah Khan <shuah@kernel.org>,
Puranjay Mohan <puranjay@kernel.org>,
Anton Protopopov <a.s.protopopov@gmail.com>,
linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org
Subject: Re: [RFC PATCH bpf 0/6] bpf: Disallow interpreter fallback for interpreter-unsupported insns
Date: Sat, 27 Jun 2026 00:11:45 +0800
Message-ID: <79ca7f6b-5cd5-4c23-8ea9-7867d44046c5@linux.dev>
In-Reply-To: <20260626154330.33619-1-leon.hwang@linux.dev>

On 2026/6/26 23:43, Leon Hwang wrote:
> Sashiko reported two potential issues about interpreter fallback [1]
> [2].
>
> After verifying them by patch #7, I think they are real issues. With

Sorry, it should be the patch #6.

> LLM assistance, the interpreter does not support the internal
> BPF_PROBE_ATOMIC insn and the gotox insn (used for indirect jumps),
> either.
>
> 1) the user BPF_ADDR_SPACE_CAST insn
> the interpreter just ignores it.
>
> 2) the arena ST/STX/LDX insn
> the interpreter could hit the BUG_ON() in ___bpf_prog_run().
>
> 3) the BPF_MOV64_PERCPU_REG insn
> the interpreter could hit page fault, due to loading memory from
> invalid __percpu pointer.
>
> 4) the internal BPF_PROBE_ATOMIC insn
> the interpreter could hit the BUG_ON() in ___bpf_prog_run().
>
> 5) the gotox insn used for indirect jumps
> the interpreter could hit the BUG_ON() in ___bpf_prog_run(), too.
>
> Reject these insns on interpreter fallback path in
> __bpf_prog_select_runtime().
>
> This series is built on
> "bpf: Fix unaligned interpreter panic on JIT fallback path" [3]. The
> patch #7 is also able to verify the issue of un-JITed helper.
^ patch #6
>
> However, the patch #7 aims to verify the issues. I think it is not
^ patch #6
> proper to be applied to upstream, because it adds a stub
> 'bpf_jit_test_fail_task' to bpf_prog_jit_compile() for the tests.
>
> I'd like to drop the patch #7 in the next revision.
^ patch #6

Thanks,
Leon

>
> Link:
> [1] https://lore.kernel.org/bpf/20260608151347.2C77D1F00893@smtp.kernel.org/
> [2] https://lore.kernel.org/bpf/20260622150759.EC9071F000E9@smtp.kernel.org/
> [3] https://lore.kernel.org/bpf/20260615025316.24429-1-yangtiezhu@loongson.cn/
>
> Leon Hwang (6):
> bpf: Disallow interpreter fallback for user BPF_ADDR_SPACE_CAST insn
> bpf: Disallow interpreter fallback for arena insn
> bpf: Disallow interpreter fallback for BPF_MOV64_PERCPU_REG insn
> bpf: Disallow interpreter fallback for internal BPF_PROBE_ATOMIC insn
> bpf: Disallow interpreter fallback for gotox insn
> lib/test_bpf: Add interpreter-fallback tests
>
> include/linux/bpf.h | 1 +
> include/linux/filter.h | 4 +
> kernel/bpf/core.c | 69 +-
> lib/test_bpf.c | 800 ++++++++++++++++++++++-
> tools/lib/bpf/skel_internal.h | 2 +
> tools/testing/selftests/bpf/test_kmod.sh | 39 +-
> 6 files changed, 903 insertions(+), 12 deletions(-)
>
> --
> 2.54.0
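
An added illustration, not part of the message above or of the patch series: a userspace C model of the kind of scan the cover letter describes, flagging the five listed instruction kinds in an instruction array. The opcode values are restated from the kernel headers as assumptions, and `classify`, `first_unsupported` and the sample program are hypothetical names and constructed data.

```c
#include <stdint.h>
#include <stddef.h>
/* Same 8-byte layout as the UAPI struct bpf_insn. */
struct insn { uint8_t code; uint8_t dst:4, src:4; int16_t off; int32_t imm; };

/* Assumed encodings, restated from include/uapi/linux/bpf.h and
 * include/linux/filter.h; check them against the tree being audited. */
#define CLS(c)        ((c) & 0x07)   /* LDX=1, ST=2, STX=3 */
#define MODE(c)       ((c) & 0xe0)
#define MOV64_X       0xbf           /* BPF_ALU64 | BPF_MOV | BPF_X */
#define GOTOX         0x0d           /* BPF_JMP | BPF_JA | BPF_X */
#define LD_IMM64      0x18           /* BPF_LD | BPF_IMM | BPF_DW, two slots */
#define PROBE_MEM32   0xa0           /* mode of arena LDX/ST/STX */
#define PROBE_ATOMIC  0xe0           /* mode of internal BPF_PROBE_ATOMIC */

enum reason { R_OK, R_CAST_USER, R_ARENA, R_PERCPU, R_PROBE_ATOMIC, R_GOTOX };

static enum reason classify(const struct insn *i)
{
    uint8_t cls = CLS(i->code);
    if (i->code == MOV64_X && i->off == 1 && i->imm == (1 << 16))
        return R_CAST_USER;          /* off = BPF_ADDR_SPACE_CAST, user cast */
    if (i->code == MOV64_X && i->off == -1)
        return R_PERCPU;             /* off = BPF_ADDR_PERCPU */
    if (cls >= 1 && cls <= 3 && MODE(i->code) == PROBE_MEM32)
        return R_ARENA;
    if (cls == 3 && MODE(i->code) == PROBE_ATOMIC)
        return R_PROBE_ATOMIC;
    return i->code == GOTOX ? R_GOTOX : R_OK;
}

/* Index of the first insn the cover letter lists as unsupported, or -1. */
int first_unsupported(const struct insn *p, size_t n, enum reason *why)
{
    for (size_t i = 0; i < n; i++) {
        *why = classify(&p[i]);
        if (*why != R_OK)
            return (int)i;
        if (p[i].code == LD_IMM64)
            i++;                     /* second slot only carries the upper imm */
    }
    *why = R_OK;
    return -1;
}

/* Constructed sample: mov r1,r2; ld_imm64 r3 (two slots); gotox r3. */
static const struct insn sample[] = {
    { .code = MOV64_X, .dst = 1, .src = 2 },
    { .code = LD_IMM64, .dst = 3, .imm = 0x10 }, { .imm = 0 },
    { .code = GOTOX, .dst = 3 },
};
```
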